Documentation
Overview
Package apparmorutil provides utilities for AppArmor
Constants
This section is empty.
Variables
This section is empty.
Functions
func CanApplyExistingProfile
func CanApplyExistingProfile() bool
CanApplyExistingProfile returns whether the current process can apply an existing AppArmor profile to processes.
CanApplyExistingProfile does NOT need root.
CanApplyExistingProfile checks /sys/module/apparmor/parameters/enabled, but does NOT check /sys/kernel/security/apparmor, which might not be accessible from user namespaces (because securityfs cannot be mounted in a user namespace).
Related: https://gitlab.com/apparmor/apparmor/-/blob/v3.0.3/libraries/libapparmor/src/kernel.c#L311
func CanApplySpecificExistingProfile
CanApplySpecificExistingProfile attempts to run `aa-exec -p <NAME> -- true` to check whether the profile can be applied.
CanApplySpecificExistingProfile does NOT depend on /sys/kernel/security/apparmor/profiles, which might not be accessible from user namespaces (because securityfs cannot be mounted in a user namespace).
func CanLoadNewProfile
func CanLoadNewProfile() bool
CanLoadNewProfile returns whether the current process can load a new AppArmor profile.
CanLoadNewProfile needs root.
CanLoadNewProfile checks both /sys/module/apparmor/parameters/enabled and /sys/kernel/security.
Related: https://gitlab.com/apparmor/apparmor/-/blob/v3.0.3/libraries/libapparmor/src/kernel.c#L311
Types
type Profile
type Profile struct {
	Name string `json:"Name"`           // e.g., "nerdctl-default"
	Mode string `json:"Mode,omitempty"` // e.g., "enforce"
}
func Profiles
Profiles returns the AppArmor profiles currently loaded in the kernel.
Profiles does not need root, but it needs access to /sys/kernel/security/apparmor/policy/profiles, which might not be accessible from user namespaces (because securityfs cannot be mounted in a user namespace).
So, Profiles cannot be called from a rootless child process.
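The split between the non-root check (module parameter only), the root check (securityfs as well) and the profile listing described above, as an added example that is not the package's own code. The helpers take their paths as parameters so they can be exercised against a constructed directory tree; the layout of policy/profiles (one subdirectory per profile holding a "name" and a "mode" file) and the helper names are assumptions made here.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

type Profile struct {
	Name string `json:"Name"`           // e.g., "nerdctl-default"
	Mode string `json:"Mode,omitempty"` // e.g., "enforce"
}

// "Y" in the module parameter file (normally /sys/module/apparmor/parameters/
// enabled) means AppArmor is active; readable in user namespaces, so no root needed.
func apparmorEnabled(enabledFile string) bool {
	b, err := os.ReadFile(enabledFile)
	return err == nil && strings.TrimSpace(string(b)) == "Y"
}

// canLoadNewProfile also needs securityfs (normally /sys/kernel/security/apparmor), hence root.
func canLoadNewProfile(enabledFile, securityfsDir string) bool {
	st, err := os.Stat(securityfsDir)
	return apparmorEnabled(enabledFile) && err == nil && st.IsDir()
}

// profilesFromDir lists a policy/profiles directory; assumption: each subdirectory
// has "name" and "mode" files. A rootless child usually gets EACCES from ReadDir.
func profilesFromDir(dir string) ([]Profile, error) {
	ents, err := os.ReadDir(dir) // entries are sorted by filename
	if err != nil {
		return nil, err
	}
	var out []Profile
	for _, e := range ents {
		name, err := os.ReadFile(filepath.Join(dir, e.Name(), "name"))
		if err != nil {
			continue // not a profile directory
		}
		mode, _ := os.ReadFile(filepath.Join(dir, e.Name(), "mode")) // optional
		out = append(out, Profile{Name: strings.TrimSpace(string(name)), Mode: strings.TrimSpace(string(mode))})
	}
	return out, nil
}

func main() {
	ps, err := profilesFromDir("/sys/kernel/security/apparmor/policy/profiles")
	fmt.Println(canLoadNewProfile("/sys/module/apparmor/parameters/enabled", "/sys/kernel/security/apparmor"), ps, err)
}
```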